Conversation
… without being escaped (#1288) Fluid escapes variable output by default to prevent XSS. In some cases, however, values originate from a trusted/sanitized source (e.g. HTML generated from a sanitizer, CMS RTE output, a Markdown renderer with a strict allow-list, …) and should be rendered as HTML without forcing template authors to opt out of escaping via `f:format.raw` or similar. This change introduces a marker interface `TYPO3Fluid\Fluid\Core\Parser\UnsafeHTML` for values that should be rendered unescaped. Any object implementing this interface will bypass Fluid’s escaping and will be output as-is via `__toString()`. For now, this interface is marked as `@internal` to be able to make adjustments within the Fluid 5 branch, if necessary. A small helper value object `UnsafeHTMLString` is included for convenience. Example (PHP): ````php use TYPO3Fluid\Fluid\Core\Parser\UnsafeHTMLString; // $safeHtml must already be sanitized/escaped appropriately $view->assign('content', new UnsafeHTMLString($safeHtml)); ```` Template: ````html {content} ```` Technical notes: - `EscapingNode` now detects `UnsafeHTML` and returns the value unescaped. - The compiled escaping closure generated by the `TemplateCompiler` includes the same check, so compiled templates behave identically. - Boolean expression evaluation unwraps `UnsafeHTML` to a string first, so empty HTML values behave like empty strings in conditions (e.g. `{content}` is false when it’s `''`). Tests/examples have been adjusted accordingly.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fluid escapes variable output by default to prevent XSS. In some cases,
however, values originate from a trusted/sanitized source (e.g. HTML
generated from a sanitizer, CMS RTE output, a Markdown renderer with
a strict allow-list, …) and should be rendered as HTML without forcing
template authors to opt out of escaping via
f:format.rawor similar.This change introduces a marker interface
TYPO3Fluid\Fluid\Core\Parser\UnsafeHTMLfor values that should berendered unescaped. Any object implementing this interface will
bypass Fluid’s escaping and will be output as-is via
__toString().For now, this interface is marked as
@internalto be able to makeadjustments within the Fluid 5 branch, if necessary.
A small helper value object
UnsafeHTMLStringis included for convenience.Example (PHP):
Template:
{content}Technical notes:
EscapingNodenow detectsUnsafeHTMLand returns the value unescaped.TemplateCompilerincludes the same check, so compiled templates behave identically.
UnsafeHTMLto a string first,so empty HTML values behave like empty strings in conditions
(e.g.
{content}is false when it’s'').Tests/examples have been adjusted accordingly.